- Description
- Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to code injection. The ckpt_path2 variable takes user input (e.g. a path to a model) and passes it to the change_info_ function, which opens and reads the file at the given path (except that it changes the final component of the path to train.log) and passes the contents of the file to eval, which can lead to remote code execution. As of the time of publication, no known patches exist.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
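The pattern from the description, shown next to a hardened form, as an added example that is not the project's code or a project patch. The function names, the `canary` stand-in and the train.log contents are constructed assumptions; the real log format is not given on this page.

```python
import ast
import tempfile
from pathlib import Path

CALLS = []  # filled in if file content gets executed as code

def canary():
    """Harmless stand-in for code chosen by whoever controls the file."""
    CALLS.append("executed")
    return {}

def log_path_for(ckpt_path):
    # As in the advisory: the final path component is swapped for train.log.
    return Path(ckpt_path).with_name("train.log")

def read_info_unsafe(ckpt_path):
    # Vulnerable pattern: file content is evaluated as a Python expression.
    return eval(log_path_for(ckpt_path).read_text(encoding="utf-8").strip())

def read_info_safe(ckpt_path):
    # Hardened: literal_eval only builds literals, and the result must be a dict.
    text = log_path_for(ckpt_path).read_text(encoding="utf-8").strip()
    try:
        info = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("train.log is not a plain literal") from exc
    if not isinstance(info, dict):
        raise ValueError("train.log metadata must be a dict")
    return info

def demo():
    CALLS.clear()
    with tempfile.TemporaryDirectory() as d:
        ckpt, log = Path(d, "model.pth"), Path(d, "train.log")
        log.write_text("{'sr': '40k', 'f0': 1}\n", encoding="utf-8")  # constructed
        benign = read_info_safe(ckpt)
        log.write_text("canary()\n", encoding="utf-8")  # constructed, contains a call
        read_info_unsafe(ckpt)  # eval runs canary()
        try:
            read_info_safe(ckpt)
            rejected = False
        except ValueError:
            rejected = True
    return {"benign": benign, "unsafe_ran_code": bool(CALLS), "safe_rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

Because `ast.literal_eval` never evaluates calls, names or attribute access, the same file content that executes under `eval` is rejected before any code runs.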
CVSS 4.0
- Type
- Secondary
- Base score
- 8.9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-94
- Hype score
- Not currently trending
🚨 CVE-2025-43845 🔴 HIGH (8.9) 🏢 RVC-Project - Retrieval-based-Voice-Conversion-WebUI 🏗️ <= 2.2.231006 🔗 https://t.co/KaJuP86HaX 🔗 https://t.co/PYxTWSjXF7 🔗 https://t.co/7VwDXr5FIW 🔗 https://t.co/beRPvEZoKf #CyberCron #VulnAlert #InfoSec https://t.co/b
@cybercronai
7 May 2025
CVE-2025-43845 Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to code injection. The ckpt_path2 var… https://t.co/d4kluilzQ6
@CVEnew
5 May 2025
[CVE-2025-43845: HIGH] Vulnerable versions of Retrieval-based-Voice-Conversion-WebUI allow code injection through user input. No patches available at this time. #CyberSecurity#cve,CVE-2025-43845,#cybersecurity https://t.co/0gFgQetpwG https://t.co/VZnJWGA31S
@CveFindCom
5 May 2025